Attacks on security vulnerabilities that exist in an OS (Operating System) or in an application program (hereinafter simply called an “application”) have been causing damage such as tampering with data or programs, forced shutdown of a computer or an application, or unauthorized intrusion into or operation of a computer.
In recent years, attacks on Web applications running on Web servers have been increasing, and the leaking and alteration of confidential and personal information and the illegal use of services have become a social problem.
Attacks on Web applications are carried out by inserting illegal data into an HTTP (HyperText Transfer Protocol) request, which is the input data sent from a client to a Web application.
The vulnerabilities of a Web application differ depending on the processing that uses the input data, and a plurality of types are known, such as cross-site scripting and SQL injection.
For example, cross-site scripting is an attack that takes advantage of a vulnerability in a process that dynamically generates HTML (HyperText Markup Language) data; the vulnerability allows a script to be inserted into the HTML data.
SQL injection is an attack that takes advantage of a vulnerability in a process that issues SQL statements to operate on data in a relational database; the vulnerability allows execution of an SQL statement the application did not intend.
Since the illegal data used to attack a vulnerability differs by type of vulnerability, the countermeasures against it also differ.
For example, one method of executing cross-site scripting is to include a <SCRIPT> tag in a request as illegal data.
The countermeasure against this cross-site scripting is to make the <SCRIPT> tag harmless in the HTML to be generated, according to HTML syntax, so that it is not interpreted as a <SCRIPT> tag.
As for SQL injection, one method is to insert a “′”, the character that encloses a string, so as to terminate the string, and to append an arbitrary SQL statement after it.
The countermeasure against such an SQL injection is to make the “′” included in the input data harmless according to SQL syntax, so that the “′” no longer means the character that encloses a string.
Conventionally, the two countermeasures described below have mainly been taken to defend against attacks on the vulnerabilities of a Web application.
The first is to incorporate into the Web application itself a security function that evaluates input data which may give rise to various types of vulnerability and makes illegal data harmless, according to the processing in which the vulnerability may occur.
The second defense method is to use a Web application firewall that inspects an HTTP request for a Web application before the request reaches the Web application, and blocks or makes harmless any HTTP request that may constitute an attack.
For the first defense method, guidelines on the security functions and so on to be incorporated are published by organizations such as OWASP (The Open Web Application Security Project).
As a method of assisting the incorporation of a security function, a method of analyzing a program's source code to detect positions where a vulnerability may occur is known (for example, Patent Literature 1).
For the Web application firewall of the second defense method, the general method is to evaluate whether a pattern of illegal data registered beforehand is included in the HTTP request, and to block the communication or make the data harmless if it is (for example, Non-patent Literature 1).
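A minimal illustration of the pattern-based inspection described for the second defense method, added here as an example; it is not code from this page or from the cited literature. The pattern registry, the request lines and the block/sanitize actions are constructed for the example, and only query-string parameters are inspected:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed registry of illegal-data patterns (hypothetical, not any product's rules).
# Each entry: name, compiled regex, and the action taken when the pattern is found.
ILLEGAL_PATTERNS = [
    ("html_script_tag", re.compile(r"<\s*script\b", re.IGNORECASE), "block"),
    ("sql_string_terminator", re.compile(r"'"), "sanitize"),
]

def inspect_request(request_line: str):
    """Inspect the query-string parameters of one HTTP request line.

    Returns (verdict, params): verdict is "pass", "sanitize" or "block";
    params is the parameter list after any sanitising (empty when blocked).
    """
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    verdict = "pass"
    cleaned = []
    for name, value in params:
        for _pat_name, regex, action in ILLEGAL_PATTERNS:
            if regex.search(value):
                if action == "block":
                    return "block", []
                # "make harmless" at the firewall: remove the matched characters
                value = regex.sub("", value)
                verdict = "sanitize"
        cleaned.append((name, value))
    return verdict, cleaned

if __name__ == "__main__":
    # Constructed request lines for the example
    for line in ("GET /search?q=hello HTTP/1.1",
                 "GET /search?q=%3CSCRIPT%3E HTTP/1.1",
                 "GET /item?name=O%27Brien HTTP/1.1"):
        print(line, "->", inspect_request(line))
```

The third request shows the known limitation of this method: the firewall does not know in which syntax a value will later be used, so a legitimate name containing an apostrophe is altered. That is why the syntax-aware, per-parameter countermeasures inside the application remain necessary alongside a firewall.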
There is also a method that uses a library performing various types of vulnerability countermeasures (for example, Patent Literature 2).
In this method, a setup file created by the developer, which describes for each parameter of a request whether a countermeasure is necessary, is read, and a library that performs the countermeasure designated for each parameter according to the setup file is used when the HTTP request is received; thereby the countermeasures for the vulnerabilities of the Web application can be implemented efficiently.
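As an added example of the library-and-setup-file approach, and of the syntax-aware countermeasures for the <SCRIPT> tag and the string terminator described earlier (not code from Patent Literature 2 or from this page), the following Python sketch implements two countermeasures, reads a constructed setup file that designates one of them per parameter, and applies them when the parameters are received. The JSON layout of the setup file, the countermeasure names and the SQLite check are assumptions made for the example:

```python
import html
import json
import sqlite3

# Countermeasure library: each function makes input data harmless for one output
# syntax, so the data is treated as text rather than as markup or as SQL.
def escape_html(value: str) -> str:
    """Neutralise HTML syntax: '<SCRIPT>' becomes '&lt;SCRIPT&gt;' and is displayed, not interpreted."""
    return html.escape(value, quote=True)

def escape_sql_string(value: str) -> str:
    """Neutralise the SQL string terminator by doubling it, as SQL string-literal syntax requires."""
    return value.replace("'", "''")

COUNTERMEASURES = {
    "html": escape_html,
    "sql": escape_sql_string,
    "none": lambda value: value,  # developer has declared that no countermeasure is needed
}

# Constructed setup file (assumed JSON layout): for each request parameter the
# developer records where it is used and which countermeasure the library applies.
SETUP_FILE = """
{
  "search": {"used_in": "result page HTML", "countermeasure": "html"},
  "user":   {"used_in": "SQL WHERE clause", "countermeasure": "sql"},
  "page":   {"used_in": "integer validated elsewhere", "countermeasure": "none"}
}
"""

def load_setup(text: str) -> dict:
    """Parse the setup file and reject countermeasure names the library does not provide."""
    setup = json.loads(text)
    for name, entry in setup.items():
        if entry.get("countermeasure") not in COUNTERMEASURES:
            raise ValueError(f"unknown countermeasure for parameter {name!r}")
    return setup

def apply_countermeasures(params: dict, setup: dict) -> dict:
    """Apply the designated countermeasure to each received parameter.

    A parameter missing from the setup file is an error, not a pass-through,
    so the developer must decide explicitly for every parameter.
    """
    result = {}
    for name, value in params.items():
        if name not in setup:
            raise KeyError(f"no countermeasure designated for parameter {name!r}")
        result[name] = COUNTERMEASURES[setup[name]["countermeasure"]](value)
    return result

def count_matching_users(user_value: str) -> int:
    """Confirm the escaped value reaches SQL as plain data (in-memory SQLite, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('O''Neil')")
    safe = escape_sql_string(user_value)
    # String building is shown only to mirror the escaping countermeasure on the page;
    # a bound parameter, conn.execute(sql, (user_value,)), is the preferable form today.
    (count,) = conn.execute(f"SELECT count(*) FROM users WHERE name = '{safe}'").fetchone()
    conn.close()
    return count

if __name__ == "__main__":
    setup = load_setup(SETUP_FILE)
    received = {"search": "<SCRIPT>", "user": "O'Neil", "page": "2"}
    print(apply_countermeasures(received, setup))
    print(count_matching_users("O'Neil"), count_matching_users("'"))
```

With the value `O'Neil` the doubled quote keeps the apostrophe as part of the string and the row is found; a lone `'` no longer terminates the literal and simply matches nothing, which is the "harmless according to SQL syntax" outcome the text describes.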